High Street at Cruelery.com

square · 2016-11-15 01:08:19

Creating a new topic to move technical discussion out of the death of privacy thread.

GooberMcNutly wrote:
Baywolfe wrote:
Anybody that knows Java, and the security classes can write a program to generate their own self-signed certificate.
Of course. But the secret with this one is that they got the browsers to accept their root authority, so by design they then trust all of the ones the root authority signs.

The system was originally broken. In order to set up an https site you need a certificate that is sourced from a root. The original idea was to prevent some "secure" site from pretending to be fazebook.com, taking your login and pw, then kicking you out to the real site, harvesting your info. But only if you required https, like everyone should be doing all the time. But to issue you the certificate you had to submit business paperwork and pay a huge fee, when all they do is generate the certificate with their magic key.

But now I guess we aren't as worried about impersonation of banks or whatnot. You just need a plain certificate, accepted by all browsers, that allows you and the web server to sign communications to each other.

But it begs the question. If you can get an easily acceptable key for nothing with no background check, what's the use of a signed certificate chain? Why not just have the browser not care about the root certificate in the chain? (They all currently show a scary message and make you click a couple of times to get around it.) It would be easier to program and it effectively allows the same thing. An easy config change in Chrome or Firefox would create the same "security" to the communication.

To get a Let's Encrypt certificate you still have to prove you control the domain. This is the same process you'd undergo for a cheap certificate from any other certificate authority. It offers basic assurance against an impersonation attack, which a self-signed certificate does not. (Unless, of course, you have some other way to verify its validity.)

Banks and such are (hopefully) using Extended Validation certificates which require a more extensive verification process. These cause the address bar in most browsers to turn green.

Whether the average user knows or notices the difference between these is questionable, but anyone reading this can certainly look for it when deciding whether to type in their banking password.

Auto-edited on 2020-08-02 to update URLs

Last edited by square (2016-11-15 01:09:32)

Baywolfe · 2016-11-15 12:06:16

GooberMcNutly wrote:
To get a Let's Encrypt certificate you still have to prove you control the domain. This is the same process you'd undergo for a cheap certificate from any other certificate authority. It offers basic assurance against an impersonation attack, which a self-signed certificate does not. (Unless, of course, you have some other way to verify its validity.)

But it begs the question. If you can get an easily acceptable key for nothing with no background check, what's the use of a signed certificate chain? Why not just have the browser not care about the root certificate in the chain? (They all currently show a scary message and make you click a couple of times to get around it.) It would be easier to program and it effectively allows the same thing. An easy config change in Chrome or Firefox would create the same "security" to the communication.

It must be having some effect on web security, as my fishing/spoofing emails have dropped to 0.

square · 2016-11-21 01:24:42

Okay, you should now be able to access High Street via HTTPS. You will see warnings/errors about insecure content on some pages - this is unavoidable where users have posted regular HTTP images.

If you encounter internal links in the navigation that take you to the regular HTTP site or banners that come over HTTP when you're viewing an HTTPS page, please post here so we can fix them.

Auto-edited on 2020-08-02 to update URLs

choad · 2016-11-21 02:58:18

square wrote:
If you encounter internal links in the navigation that take you to the regular HTTP site or banners that come over HTTP when you're viewing an HTTPS page, please post here so we can fix them.

Check the address bar on the frontpage. Firefox doesn't seem to know what to make of it.

Emmeran · 2016-11-21 10:23:18

choad wrote:
Check the address bar on the frontpage. Firefox doesn't seem to know what to make of it.

People still use MemoryLeak Firefox?

GooberMcNutly · 2016-11-21 10:26:56

Thank you. Changing bookmark now.

Baywolfe · 2016-11-21 17:02:21

Emmeran wrote:
choad wrote:
Check the address bar on the frontpage. Firefox doesn't seem to know what to make of it.
People still use MemoryLeak Firefox?

Being a browser snob is just, sad.

Emmeran · 2016-11-21 18:12:26

Baywolfe wrote:
Being a browser snob is just, sad.

My life is pretty pitiful actually; but at the same time I can't abide by memory leaks, that's just shoddy workmanship.

square · 2016-11-22 04:44:47

Yeah, the front page needs some work. Haven't done anything with it yet.

Because it pulls posts and presents the contents verbatim, you're going to get a mixed-content warning on the front page since the posts all contain images referenced as plain HTTP. Not sure if there is an elegant solution to this.